Daniel Kopeček: IPC interface access control

I have already covered how to configure usbguard-daemon IPC access control in a previous post. However, the 0.7.0 release introduced another way to configure the same thing with more control over who can do what.

Previously, one could only enable a user or group to use the whole IPC interface. With the new ACL system, the access can be limited to specific sections of the interface and specific privileges inside that section.

The available sections and privileges are:

Section: Devices

modify: Change authorization state of devices including permanent changes (i.e. modification of device specific rules in the policy).

list: Ability to get a list of recognized devices and their attributes.

listen: Listen to device presence and device policy changes.

Section: Policy

modify: Append rules to or remove any rules from the poli‐ cy.

list: Ability to view the currently enforced policy.

Section: Exceptions

listen: Receive exception messages.

Section: Parameters

modify: Set values of run‐time parameters.

list: Get values of run‐time parameters.

To use this new system, you first have to modify the usbguard-daemon configuration and set the IPCAccessControlFiles setting to point to a location where the ACL definition files will be stored, for example: /etc/usbguard/IPCAccessControl.d/.

Once set, you can use the usbguard CLI to define the ACL. For example: